Add global workaround for applications

Because the previous patch changes the behavoir of jwcrypto, this knob is a quick way for application developers to get back the old behavior temporarily without having to change the code immediately as it may require some significant refactoring, depending on how the application was written. This is not intended to be used in the long term and will be eventually deleted. Unfortunately I cannot decorate a simply global variable with the @deprecated decoration to make it clearer. Signed-off-by: Simo Sorce <simo@redhat.com>
latchset · Sep 13, 2022 · 48514fc · 48514fc
1 parent 444acd1
commit 48514fc
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/docs/source/jwt.rst b/docs/source/jwt.rst
@@ -14,6 +14,13 @@ Classes
    :members:
    :show-inheritance:
 
+Variables
+---------
+
+.. autodata:: jwcrypto.jwt.JWTClaimsRegistry
+
+.. autodata:: jwcrypto.jwt.JWT_expect_type
+
 Examples
 --------
 

diff --git a/jwcrypto/jwt.py b/jwcrypto/jwt.py
@@ -22,8 +22,18 @@
                      'nbf': 'Not Before',
                      'iat': 'Issued At',
                      'jti': 'JWT ID'}
+"""Registry of RFC 7519 defined claims"""
 
 
+# do not use this unless you know about CVE-2022-3102
+JWT_expect_type = True
+"""This module parameter can disable the use of the expectation
+   feature that has been introduced to fix CVE-2022-3102. This knob
+   has been added as a workaround for applications that can't be
+   immediately refactored to deal with the change in behavior but it
+   is considered deprecated and will be removed in a future release.
+"""
+
 class JWTExpired(JWException):
     """JSON Web Token is expired.
 
@@ -542,11 +552,11 @@ def validate(self, key):
         validate_fn = None
 
         if isinstance(self.token, JWS):
-            if et != "JWS":
+            if et != "JWS" and JWT_expect_type:
                 raise TypeError("Expected {}, got JWS".format(et))
             validate_fn = self.token.verify
         elif isinstance(self.token, JWE):
-            if et != "JWE":
+            if et != "JWE" and JWT_expect_type:
                 print("algs: {}".format(self._algs))
                 raise TypeError("Expected {}, got JWE".format(et))
             validate_fn = self.token.decrypt

diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py
@@ -1763,6 +1763,11 @@ def test_unexpected(self):
         token.make_encrypted_token(key)
         enctok = token.serialize()
 
+        # test workaroud for older applications
+        jwt.JWT_expect_type = False
+        jwt.JWT(jwt=enctok, key=key)
+        jwt.JWT_expect_type = True
+
         token.validate(key)
         token.expected_type = "JWE"
         token.validate(key)